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A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 
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after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 
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earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )S Responsive to communication(s) filed on 20 June 2003 . 
2a)D This action is FINAL. 2b)^ This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-25 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) E3 Claim(s) 1-25 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10)^ The drawing(s) filed on 20 June 2003 is/are: a)D accepted or b)K objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
1 !)□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
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1 .□ Certified copies of the priority documents have been received. 

2. Q Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
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1 DETAILED ACTION 

2 

3 Claims 1 - 25 are pending. 
4 

5 Drawings 

6 

7 Figures 1 and 2 should be designated by a legend such as -Prior Art- because 

8 only that which is old is illustrated. See MPEP § 608.02(g). Corrected drawings in 

9 compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid 

10 abandonment of the application. The replacement sheet(s) should be labeled 

1 1 "Replacement Sheet" in the page header (as per 37 CFR 1 .84(c)) so as not to obstruct 

12 any portion of the drawing figures. If the changes are not accepted by the examiner, the 

13 applicant will be notified and informed of any required corrective action in the next Office 

14 action. The objection to the drawings will not be held in abeyance. 
15 

16 



1 7 Claim Rejections - 35 USC § 103 

18 

19 The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

20 obviousness rejections set forth in this Office action: 

21 (a) A patent may not be obtained though the invention is not identically disclosed or described as set 

22 forth in section 102 of this title, if the differences between the subject matter sought to be patented and 

23 the prior art are such that the subject matter as a whole would have been obvious at the time the 

24 invention was made to a person having ordinary skill in the art to which said subject matter pertains. 

25 Patentability shall not be negatived by the manner in which the invention was made. 
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1 

2 Claims 1 - 6, 8 - 13, 15 - 23, and 25 are rejected under 35 U.S.C. 103(a) as 

3 being unpatentable over CERT CC, "CERT Advisory CA-2000-02 Malicious HTML 

4 Tags Embedded in Client Web Requests" (CERT-Advisory) in view of CERT CC, 

5 "Understanding Malicious Content Mitigation for Web Developers" (CERT). 

6 

7 Regarding claim 8, CERT-Advisory discloses: 

8 receiving an HTTP request at a server computer, wherein the HTTP request 

9 includes input data that was not generated by the server computer (CERT-Advisory, 

10 page 1, Systems Affected, Overview; page 2, pars. 2-4). 

1 1 CERT-Advisory discloses, in general, that the Server site attempts to filter the 

12 incoming HTTP request according to the criteria of removing dangerous meta- 

13 characters, so as to prevent their sites from being attacked, "abused", by malicious data 

14 or a cross-site scripting attack (CERT-Advisory, page 5, Solutions for Web Page 

1 5 Developers and Web Site Administrators). While one of ordinary skill in the art would 

16 rightly and easily conclude from the context of CERT-Advisory that the incoming meta- 

17 characters being filtered are being evaluated against known scripting constructs or 

1 8 characters, CERT-Advisory does not explicitly say the evaluation is to determine if the 

1 9 input data includes a script construct, wherein the script construct indicates that HTTP 

20 request is part of a cross-site scripting attack. Instead, CERT-Advisory directs the 

21 readers attention to the detailed solution (found in CERT) for preventing cross-site 

22 scripting attacks in response to receiving HTTP requests comprising malicious scripts. 
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1 CERT discloses the specifics for mitigating cross-site scripting attacks by 

2 evaluating the incoming data requests to determine the presences of dangerous meta- 

3 characters, indicating the presence of malicious scripts (CERT, page 1, par. 1, Problem 

4 Summary, pars. 2-3; page 2, Mitigation Summary; page 3, Identifying the Special 

5 Characters; page 4, Filtering Dynamic Content). CERT, thus clearly demonstrates that 

6 the filtering of input data for dangerous meta-characters is an evaluation of the 

7 presence of malicious script constructs. 

8 It would have been obvious to one of ordinary skill in the art to combine the 

9 teachings of CERT, for evaluating input data for script constructs - in addition to other 

10 specific teachings of CERT for mitigating cross-site scripting attacks - with the system of 

1 1 CERT-Advisory. This would have been obvious because CERT-Advisory explicitly says 

12 to include the reference of CERT so as to successfully mitigate cross site scripting 

13 attacks (CERT-Advisory, page 5, par. 6). 
14 

15 Regarding claim 9, the combination of CERT-Advisory and CERT disclose: 

1 6 at least one of: receiving a query string that includes at least one query string 

17 variable; receiving a cookie; receiving one or more headers in the HTTP request; and 

18 receiving one or more form fields (CERT-Advisory, page 2, pars. 2-5; CERT, page 2, 

19 Mitigation Summary). 
20 

21 Regarding claim 10, the combination of CERT-Advisory and CERT disclose: 
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1 at least one of: searching the HTTP request for one or more character 

2 combinations that correspond to a script construct; searching the HTTP request for an 

3 event that includes a script construct; searching server variables that derive input data 

4 from another source; and searching the HTTP request for an expression that includes a 

5 script construct (CERT, page 3, Identifying the Special Characters; page 4, Filtering 

6 Dynamic Content). 
7 



8 Regarding claim 1 1 , the combination of CERT-Advisory and CERT disclose: 

9 searching the input data for a script construct (CERT, page 3, Identifying the 
10 Special Characters; page 4, Filtering Dynamic Content). 

11 

12 Regarding claim 12, the combination of CERT-Advisory and CERT disclose: 

13 searching for patterns associated with scripts (CERT, page 3, Identifying the 

14 Special Characters; page 4, Filtering Dynamic Content). 
15 

16 Regarding claim 13, the combination of CERT-Advisory and CERT disclose: 

17 refraining from executing the HTTP request (CERT-Advisory, page 2, par. 1 ; 

18 page 5, pars. 3-6). In addition to plainly refraining from executing a compromised HTTP 

19 request, CERT-Advisory also discloses the filtering and/or recoding of a compromised 

20 request into a well-formed HTTP request, thus refraining from executing the 

21 compromised HTTP request. 
22 
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1 Regarding claim 15, the combination of CERT-Advisory and CERT disclose: 

2 encoding the user input including the script construct to render the script inert 

3 (CERT-Advisory, page 2, par. 1; page 5, pars. 3-6; CERT, page 3, Identifying the 

4 Special Characters; page 4, par. 2). 
5 

6 Regarding claim 16, the combination of CERT-Advisory and CERT disclose: 

7 evaluating the HTTP request to determine in the input data includes a marker of 

8 active content (CERT, page 2, Mitigation Summary - particularly steps 2 and 4; page 3, 

9 Identifying the Special Characters). 
10 

1 1 Regarding claim 17, the combination of CERT-Advisory and CERT disclose: 

1 2 determining if the marker of active content is within a particular element, wherein 



1 3 the marker of active content is harmful only when rendered within the particular element 

14 (CERT, page 2, Mitigation Summary - particularly steps 2 and 4 (identifying special 

15 characters, filtering specific characters in dynamic elements; page 3, Identifying the 

16 Special Characters). 
17 

18 Regarding claims 1 - 3, 5, 6, 18 - 23, and 25, they are method and method 

19 embodied on computer readable medium claims corresponding to the system claims 1 - 

20 17, and they are rejected, at least, for the same reasons. 
21 
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1 Regarding claim 4, the combination of CERT-Advisory and CERT disclose: 

2 evaluating only a portion of the request that includes the data derived from an outside 

3 source (CERT, page 2, Mitigation Summary). The combination of CERT-Advisory and 

4 CERT discloses the need to evaluate data comprising untrusted input that could be 

5 transmitted in an HTTP request. 
6 

7 Claims 7, 14, and 24 are rejected under 35 U.S.C. 103(a) as being 

8 unpatentable over the combination of CERT-Advisory and CERT in view of 

9 Fischman et al. (Fischman), U.S. Patent Publication 2003/0097588. 

10 



1 1 Regarding claim 14, the combination of CERT-Advisory and CERT does not 

12 disclose the logging of attacks to the system. Namely, the combination of CERT- 

1 3 Advisory and CERT does not disclose wherein preventing the cross-site scripting attack 

1 4 if the input data includes a script construct further comprises logging an event at the 

1 5 server computer 

16 Fischman discloses a method wherein attacks to the security of a server system 

17 are logged. This allows the operators of the system to access the log and become 

18 aware of problems and to make proper adjustments if necessary (Fischman, par. 45). 

1 9 It would be obvious to one of ordinary skill in the art to employ the method of 

20 Fischman for logging system attacks within the system of the combination of CERT- 

21 Advisory and CERT. This would have been obvious, because one of ordinary skill in 

22 the art would have been motivated to provide the proactive benefits of logging taught by 
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1 Fischman to the operators of the attacked web server of the combination CERT- 

2 Advisory and CERT, thus enabling the server operators to access a an attack log and 

3 make system improvements. 
4 

5 Conclusion 

6 

7 The prior art made of record and not relied upon is considered pertinent to 

8 applicant's disclosure: 

9 See Notice of References Cited 

10 

1 1 A shortened statutory period for reply is set to expire 3 months (not less than 90 

1 2 days) from the mailing date of this communication. 

1 3 Any inquiry concerning this communication or earlier communications from the 

14 examiner should be directed to Jeffery Williams whose telephone number is (571) 272- 

15 7965. The examiner can normally be reached on 8:30-5:00. 

16 If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

17 supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 

18 number for the organization where this application or proceeding is assigned is (703) 

19 872-9306. 
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Information regarding the status of an application may be obtained from the 



2 Patent Application Information Retrieval (PAIR) system. Status information for 

3 published applications may be obtained from either Private PAIR or Public PAIR. 

4 Status information for unpublished applications is available through Private PAIR only. 

5 For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 

6 you have questions on access to the Private PAIR system, contact the Electronic 

7 Business Center (EBC) at 866-217-9197 (toll-free). 



9 
10 
11 
12 
13 



Jeffery Williams 
Assistant Examiner 
Art Unit 2137 





